Hi guys, thanks for reading.
In this query without sanitization (in MySQL):
SELECT * FROM logins WHERE username= AND password= ;
I can bypass this with username= 'or '1'='1 and the same for password.
I know that if I input username= whatever' or '1'='1 then I log in as user "whatever", as long as "whatever" exists in the logins table, and I don't need to bypass the password field.
But I don't understand why, if I input username= whatever and password= 'or '1'='1, I log in, but not as user "whatever". I don't get the point…
xtal
May 2, 2021, 4:31pm
2
The Operator Precedence of MySQL could be the answer.
First case
SELECT * FROM logins WHERE username='foo' OR '1'='1' AND password='bar'
Insert brackets to show the operator precedence:
SELECT * FROM logins WHERE username='foo' OR ('1'='1' AND password='bar')
Reduce the constant part:
SELECT * FROM logins WHERE username='foo' OR (true AND password='bar')
Reduce the constant part:
SELECT * FROM logins WHERE username='foo' OR password='bar'
If foo is a user name in the logins table or if bar is a password in the logins table, then a record will be found and a login is possible.
Second case
SELECT * FROM logins WHERE username='foo' AND password='bar' OR '1'='1'
Insert brackets to show the operator precedence:
SELECT * FROM logins WHERE (username='foo' AND password='bar') OR '1'='1'
Reduce the constant part:
SELECT * FROM logins WHERE (username='foo' AND password='bar') OR true
Reduce the constant part:
SELECT * FROM logins WHERE true
In this case the condition is simply true, so the username foo and the password bar are not checked.
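To make the precedence argument above concrete, here is an added example (written for this thread, not posted by xtal) that runs both cases against a constructed in-memory SQLite table, which applies the same AND-before-OR precedence as MySQL, and contrasts the string-built query with a parameterised one. The table contents and the assumption that the application logs in the first returned row are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
USERS = [("admin", "s3cret"), ("foo", "bar"), ("whatever", "pw123")]


def _db():
    """Fresh in-memory database holding the constructed logins table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE logins (username TEXT, password TEXT)")
    con.executemany("INSERT INTO logins VALUES (?, ?)", USERS)
    return con


def vulnerable_login(username, password):
    """Query built by string concatenation, as in the thread.

    Returns the usernames of all matching rows in table order; an
    application that takes the first row would log that user in.
    """
    sql = (
        "SELECT username FROM logins "
        f"WHERE username='{username}' AND password='{password}' "
        "ORDER BY rowid"
    )
    return [row[0] for row in _db().execute(sql)]


def safe_login(username, password):
    """Parameterised query: input is bound as data, so a quote in it
    can never change the WHERE clause, whatever its precedence."""
    sql = "SELECT username FROM logins WHERE username=? AND password=? ORDER BY rowid"
    return [row[0] for row in _db().execute(sql, (username, password))]


if __name__ == "__main__":
    # First case: the OR lands before the AND, so the password clause
    # only applies to the injected constant; the username check survives.
    print(vulnerable_login("whatever' or '1'='1", "x"))      # ['whatever']
    # Second case: the OR is last, so (username AND password) OR true
    # is true for every row; the first row wins, i.e. 'admin', not 'whatever'.
    print(vulnerable_login("whatever", "' or '1'='1"))       # all three users
    # Parameterised version: the same input is just a wrong password.
    print(safe_login("whatever", "' or '1'='1"))             # []
```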
I mean a quick and dirty way is just to comment out the password part.
This is a very simple form of SQL.
You could put the user example'--+-
and not even need a password.
There are many ways to comment out the line, though, so you have to play with it a bit sometimes.
The information above is super legit though. 100%
Many thanks to both, I think I understand SQL injection better now.